#privacy: GDPR implementation law passed in Portugal

The EU’s General Data Protection Regulation came into effect on May 25th 2018, since when organisations both in Europe and beyond have been collaborating with regional data privacy regulators to ensure legislative compliance with stronger data protection standards.

While the new laws have inspired similar legal frameworks within regimes around the world, only now has the GDPR been implemented in Portugal.

The GDPR brings heightened data protection standards built upon the laws’ founding ethics of transparency, control and accountability. But Brussels has left it to individual EU Member States to implement their own laws that factor in GDPR compliance.

Portugal is the third-to-last Member State to update its national data protection laws to fall in line with those who have gone before.

The laws apply to the processing of all private and personal data carried out in Portugal, “regardless of the public or private nature of the controller or the processor,” and includes public interest missions.

The laws may also be applicable to data processing that takes place beyond Portugal’s geographic borders, should that processing be carried out for an organisation in Portugal or involve the personal data of any of the country’s citizens.

Included in the laws are a number of “very serious offences”, which include the processing of personal data without the explicit consent of the data subject, or in a manner which otherwise contravenes the standards laid out within the GDPR. It will also be unlawful to charge unreasonable fees to provide data under article 12 of the GDPR, and to refuse to hand over information collected on any one individual.

Portugal’s new data law suite includes information retention periods based on the nature of the data. The individual’s right to data erasure may only be exercised when the data retention period is over.

Financial penalties leveraged against companies deemed in violation of the new standards reach from €5,000 to €20,000,000, or 4% whichever is greater, while a maximum penalty of €500,000 can be leveraged against a natural person.

The economic size of a violating entity, the time-length of an infraction, and the size of the violating entity are three factors that will be taken into account by data protection authorities when calculating the scale of enforceable fines.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.