Skip to content
GDPR by Law

European Union · updated 2026-06-15

Portugal

Conditional

Portugal's CNPD is small but decisive — it issued one of the first GDPR fines ever (a hospital, in 2018) and suspended a national census over US transfer risks. Access controls and transfer paperwork get you through here.

Law:
GDPR + Law 58/2019 + Law 41/2004 (ePrivacy)
Regulator:
CNPD (Comissão Nacional de Proteção de Dados)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Portugal requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (política de privacidade)

    Art. 13–14 GDPR

    Portuguese-language privacy notice for consumer services, naming the CNPD as complaint authority.

    How to implement Publish at /privacidade with concrete retention periods and recipient categories; English-only is acceptable for developer-focused B2B tools.

    Required
  2. Cookie consent banner

    Law 41/2004 Art. 5

    Opt-in consent for analytics and marketing cookies with prior blocking.

    How to implement Standard EU CMP configuration with a Portuguese banner; keep consent logs as proof.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities.

    How to implement Include transfer entries with mechanisms — the CNPD's census suspension turned on inadequate transfer documentation.

    Required
  4. Data protection officer (EPD)

    Art. 37 GDPR

    GDPR-baseline thresholds; notify the CNPD of appointments.

    How to implement Register via the CNPD site and publish contact details in your policy.

    Conditional
  5. Access controls on sensitive data

    Art. 32 GDPR

    Portugal's founding enforcement case was about role-based access — accounts must map to real people with least-privilege permissions.

    How to implement Eliminate shared logins, implement role-based access, and log access to sensitive records. This is the specific failure the CNPD fined first.

    Required
  6. Breach notification process

    Art. 33–34 GDPR

    72-hour CNPD notification plus individual notification for high-risk breaches.

    How to implement Use the CNPD web form; keep the internal register in Portuguese or English.

    Required

The details

Cookie consent
Law 41/2004 requires opt-in consent for non-essential cookies. CNPD follows EDPB guidance: prior blocking, first-layer reject, no cookie walls without a real alternative.
Data Protection Officer
GDPR baseline thresholds. Law 58/2019 details DPO duties for public bodies; private companies follow Art. 37 GDPR.
Processing agreements
Art. 28 GDPR agreements required with all processors. The CNPD's Censos 2021 decision shows it checks transfer clauses inside DPAs, not just their existence.
Breach notification
Notify the CNPD within 72 hours via its online form; document all breaches internally with a risk assessment.
Enforcement in practice
Hospital do Barreiro was fined €400,000 in 2018 — one of Europe's first GDPR fines — for letting non-clinical staff access patient records through shared accounts.

Data subject rights

What users can demand from you in Portugal, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Respond within 30 days with an intelligible explanation of processing.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Portuguese tax law requires 10-year retention of accounting documents — cite it as the exemption for financial records.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export for consent- and contract-based data.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support channel.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Portugal's não-incomode list covers telemarketing opt-outs; honour email objections immediately.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Disclose profiling logic and provide human review for consequential decisions.

Tools that cover Portugal

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    iubenda

    Portuguese-language privacy and cookie policies kept current with Law 58/2019.

    Visit iubenda →
  • cookie consent

    Cookiebot

    CMP with Portuguese banners and automatic tracker scanning.

    Visit Cookiebot →
  • dpa template

    Termly

    Affordable DPA templates with SCC modules for transfer documentation.

    Visit Termly →

Frequently asked questions

What was Portugal's first big GDPR lesson?

The Hospital do Barreiro fine: 985 accounts had 'doctor' access but the hospital employed fewer than 300 doctors. Map accounts to real people, apply least privilege, and audit access — the CNPD treats loose access control as a standalone violation.

Why did the CNPD suspend Portugal's census?

Censos 2021 used Cloudflare under the invalidated Privacy Shield, and the CNPD ordered the transfer stopped within 12 hours. The lesson for startups: know which infrastructure vendors move data to the US, and keep their transfer mechanism documented.

Does Portuguese law diverge from GDPR anywhere notable?

Law 58/2019 sets the digital age of consent at 13, regulates employee monitoring tightly (video surveillance cannot be used for performance evaluation), and adds deceased-persons provisions. Employer monitoring rules are the trap for HR tools.

Is an English-only privacy policy enough for Portugal?

For developer tools and B2B, generally yes. For consumer services marketed in Portuguese, provide a Portuguese notice — intelligibility to the actual audience is the legal test.

Similar jurisdictions

Free download

Get GDPR updates for Portugal

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.