Portugal’s GDPR Law is Now in Effect

Written by: Chase Langhorne, Esq.

On August 8, Portugal’s long-awaited data protection law went into effect. The legislation was originally passed in June, but awaited Presidential signature and publication in the Official Journal. The official name of the legislation is “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” (English translation: “Execution Law of the General Data Protection Regulation”) (the “Execution Law”). Portugal was one of three remaining EU member states that had yet to pass GDPR-implementing legislation. Now only Greece and Slovenia remain.

The Execution Law is largely the same as GDPR, but does contain some important variations.

Data Protection Officers (“DPO”)

The Execution Law provides for DPOs in the same manner as GDPR Articles 37 and 39, but also goes above and beyond this standard. The Execution Law provides that DPOs must:

  1. ensure audits are conducted;
  2. create awareness of the importance of early detection of security incidents; and
  3. ensure the relations with the data subjects in terms of data protection.

The Portuguese Data Protection Authority, Comissão Nacional de Protecção de Dados (“CNPD”), has noted that these requirements are in addition to what GDPR requires.

Minors’ Consent

In accordance with GDPR Article 8, the Execution Law establishes that, for information society services, processing of personal data of children older than 13 shall not require consent of a legal representative.

Certification Mechanisms

The Execution Law addresses the certification process as laid out in GDPR Article 43. The CNPD will provide the requirements to be considered by a certification body. Such certification body must be recognized by the Portuguese Institute for Accreditation (IPAC) prior to the authority issuing certifications.

Employee Data

Specific provisions are included to address employee consent and the use of biometric data in the workplace, namely limiting the use of employee biometric data to access control and attendance control purposes.

Health and Genetic Data

Processing of health and genetic data is required to be limited to the “need-to-know” principle. Further, data subjects must be notified of any access to their data, leaving the burden on the data controller to implement mechanisms to trace such access.


Contrary to GDPR Recital 27, the Execution Law provides for protection of special categories of data of the deceased. Those special categories are the same as those in GDPR Article 9. The appointed representative or heirs of the deceased have the ability to exercise the right of access, rectification, and right to be forgotten.

Social Security Data

Contrary to the data retention requirements of GDPR Article 5, the Execution Law contains a provision stating data related to Social Security retirement contributions is exempt from data retention deadlines.

Public Entities Exemption

Public entities are subject to fines, but the Execution Law grants the ability to request a three (3) year exemption period to come into compliance with the requirements of the Execution Law.


In addition to the penalties addressed in GDPR Article 83, the Execution Law provides for imprisonment of up to two (2) years, dependent on the circumstances.