Portugal

Summary

Law: Law No. 58/2019, which Ensures the Implementation in the National Legal Order of the General Data Protection Regulation (Regulation (EU) 2016/679) on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data (only available in Portuguese) (the GDPR Implementation Law), and the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR)

Regulator: Portuguese data protection authority (CNPD)

Summary: Both the GDPR and Law No. 58/2019, which Ensures the Implementation in the National Legal Order of the General Data Protection Regulation (Regulation (EU) 2016/679) on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data (only available in Portuguese) (the GDPR Implementation Law), are fully applicable in Portugal. However, in September 2019, the Portuguese data protection authority (CNPD) approved Decision No. 494/2019 (only available for download in Portuguese), which sought to ensure compatibility with EU laws and full effectiveness of the GDPR by disregarding certain articles of the GDPR Implementation Law. Such articles included: Article 28(3) on employee consent to data processing, Article 39(1) on the determination of fines, and Article 20(1) on data subjects' right to information. The CNPD's general duty is to supervise and monitor compliance with the laws and regulations in the area of personal data protection, with strict respect for human rights and the fundamental freedoms and guarantees enshrined in the Constitution of the Portuguese Republic 1976 (the Constitution) and the national legislation. The CNPD has issued fines and published decisions on the interpretation of data protection requirements, regulations for internal procedures, guidelines and authorizations.

Portugal has also ratified the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+).

Insights

Considering the growing number of attacks on personal data and the need to create further protective measures and provide some degree of regulatory certainty, the Portuguese data protection authority ('CNPD') published a set of guidelines ('the Guidelines') in which it details a list of measures that controllers and processors can take into consideration in relation to the processing (and protection) of personal data. Pedro Marques Gaspar, Manager at PwC, explores the Guidelines and what companies can expect.

On 25 January 2022, the Portuguese data protection authority ('CNPD') approved guidance on the processing of personal data in the context of direct marketing electronic communications ('the Guidance'). João Peixe, Senior Associate at Vasconcelos Arruda & Associados, discusses the contents of the Guidance.