Privacy Laws

Portugal's data protection in comparison to the GDPR

The flag of Portugal with the capital in the background
© bennymarty / | #173183147

General overview

The primary regulatory body overseeing data protection in Portugal is the Comissão Nacional de Protecção de Dados (CNPD). The GDPR became applicable in Portugal on May 25, 2018, and was further implemented through Portuguese Law No. 58/2019 of August 8, known as the Data Protection Law.

GDPR opening clauses

Portugal has adapted the GDPR through its Data Protection Law, which was published on August 8, 2019. This law assures the execution of GDPR within the Portuguese legal system and provides additional guidelines and regulations.

Key differences and national specifics

  • Sector-specific Laws: Portugal has additional data protection obligations in certain sector-specific laws. For example, Law No. 12/2005 focuses on data protection regarding genetic and health information, while Law No. 41/2004 is specific to the electronic communications sector.
  • Criminal offences and penalties: Law No. 59/2009 transposes Directive (EU) 2016/680, which deals with the processing of personal data for the prevention, investigation, detection, or prosecution of criminal offences.
  • Guidelines by CNPD: The CNPD has issued various guidelines, including guidance on Data Protection Officers (DPOs), electronic direct marketing communications, and organizational and security measures for data processing.
  • Specific contexts: The CNPD has also issued opinions on the processing of personal data in specific contexts such as health, human resources, marketing, and telecommunications.


Portugal has a comprehensive framework for data protection that not only incorporates the GDPR but also includes additional sector-specific laws and guidelines issued by the CNPD. These additional provisions and guidelines provide a more detailed roadmap for compliance, especially in specialized sectors like healthcare, telecommunications, and criminal justice.