*A 2017 updated version of this report is available
Constitutional principles guarantee the protection of personal data in Portugal. In 1991, the country issued its first law regulating the use and control of personal data and creating a regulatory agency.
European Union Directives 95/46/EC, 97/66/EC, 2000/31/CE, and 2002/58/EC have since been transposed to the country’s domestic legal system, requiring an update of the law according to European Union standards. To this effect, the country enacted Law No. 67 of October 26, 1998, to regulate the protection of personal data; Law No. 69 of October 28, 1998, to regulate the protection of personal data and the protection of privacy in the telecommunications sector; Decree-Law No. 7 of January 7, 2004, to address aspects of electronic commerce in the internal market and processing of personal data; and Law No. 41 of August 18, 2004, which revoked Law No. 69, and now regulates the processing of personal data and the protection of privacy in the electronic communications sector.
It appears that reforms of the laws dealing with the protection of personal data and addressing the new technological developments that make use of such data will only be implemented after the European Commission issues a new directive in this regard.
I. Legal Framework
In Portugal, the protection of personal data used in connection with information technology is a fundamental right guaranteed by the Constitution of 1976.[1] However, it was only on April 29, 1991, that the country adopted its first law (Law No. 10) regulating the use and control of personal data and creating a regulatory agency on the subject.[2]
In 1995, the European Union issued Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [3] imposed a period of three years from its entry into force for the Member States to transpose it to their national rules.[4]
During Portugal’s Constitutional Review of 1997, article 35 of the Constitution was amended to enable an adequate transposition of Directive No. 95/46/EC into Portugal’s Constitutional Charter.[5] Subsequently, Law No. 67 of October 26, 1998, was enacted as the new law on protection of personal data, which transposed Directive No. 95/46/EC into Portugal’s domestic legislation and revoked Law No. 10 of April 29, 1991.[6]
On October 28, 1998, Law No. 69 was issued to regulate the protection of personal data and the protection of privacy in the telecommunications sector, transposing Directive 97/66/EC into Portugal’s domestic legal system.[7] On August 18, 2004, Law No. 41 was enacted to regulate the protection of personal data in the electronic communications sector.8 [8] Law No. 41 revoked Law No. 69 and transposed Directive 2002/58/EC on Privacy and Electronic Communications into Portugal’s domestic legislation.[9]
II. Current Law
A. Constitutional Principle
The Constitution determines that the law must establish effective guarantees against the acquisition and abusive use, or use that is contrary to human dignity, of information concerning individuals and families.[10] According to article 35 of the Constitution,
- All citizens have the right to access any computerized data relating to them; to require its correction and update; and to be informed of the use for which the data is intended, according to the law.
- The law determines the concept of personal data as well as the conditions applicable to automatic processing, connection, transmission, and use thereof, and must guarantee its protection by means of an independent administrative entity.
- Computerized storage may not be used for information concerning a person’s ideological or political convictions, a person’s political party or trade union affiliations, religious beliefs, private life, or ethnic origin, except where there is express consent from the data subject, authorization is provided for under the law with guarantees of nondiscrimination, or in the case of data for statistical purposes that do not identify individuals.
- Access to personal data of third parties is prohibited, excluding exceptional cases specified by law.
- It is prohibited to give citizens a national number.
- Everyone is guaranteed free access to public information networks, and the law defines the regulations applicable to the transnational data flows and the adequate forms of protection for personal data and for data that should be safeguarded in the national interest.
- Personal data kept on manual files must receive the same protection provided for in article 35 of the Constitution, in accordance with the law.[11]
B. Personal Data Protection
Personal data in Portugal is protected by Law No. 67 of October 26, 1998,[12] supplemented by Law No. 41 of August 18, 2004.[13]
1. Law No. 67 of October 26, 1998
According to article 6 of Law No. 67/98, personal data may be processed only if the data subject has unambiguously given his consent or if processing is necessary for
- (a) execution of a contract or contracts to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract or a declaration of his will to negotiate;
- (b) compliance with a legal obligation to which the controller is subject;
- (c) protection of the vital interests of the data subject if the latter is physically or legally incapable of giving his consent;
- (d) performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; [or]
- (e) pursuing the legitimate interests of the controller or the third party to whom the data are disclosed, except where such interests are overridden by interests of fundamental rights, freedoms, and guarantees of the data subject.[14]
2. Definitions
Law No. 67/98 defines “personal data” (dados pessoais) as information of any type, irrespective of the type of media involved, including sound and image, relating to an identified or identifiable natural person (the “data subject”).[15] An “identifiable person” is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to his physical, physiological, mental, economic, cultural, or social identity.[16]
The “processing of personal data” (tratamento de dados pessoais) is defined as any operation or set of operations performed upon personal data, whether entirely or partially by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, with “comparison or interconnection” as well as its blocking, erasure, or destruction.[17]
“Controller” (responsável pelo tratamento) is defined as the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by laws or regulations, the controller must be designated in the Act establishing its organization and functioning, or in the statutes of the legal or statutory body competent to process the personal data concerned.[18]
“Consent of the data subject” (consentimento do titular de dados) is defined as any free, specific, and informed expression of intent under which the data subject accepts the processing of his personal data.[19]
3. Law No. 41 of August 18, 2004
Law No. 41 of August 18, 2004, applies to the processing of personal data in the context of networks and electronic communication services available to the public, specifying and supplementing the provisions of Law No. 67/98.[20]
4. Transparency
The processing of personal data needs to be done transparently and with strict respect for the private life, as well as for fundamental rights, freedoms, and guarantees.[21]
5. Sensitive Data
The processing of personal data referring to philosophical or political beliefs, political party or union membership, religious faith, private life, and racial or ethnic origin, as well as the processing of data concerning a person’s health or sex life, including genetic data, is prohibited under article 7(1) of Law No. 67/98.[22]
Article 7(2) of the Law determines that the processing of the data mentioned in article 7(1) is allowed if permission is provided by law or authorized, in specific situations, by the National Commission of Data Protection (Comissão Nacional de Protecção de Dados – CNPD).[23]
The processing of the data referred to in article 7(1) of Law No. 67/98 must also be permitted when one of the following conditions applies:[24]
- (a) when it is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;
- (b) [when processing is done] with the consent of the data subject by a foundation, association or nonprofit entity with a political, philosophical, religious or union character, within their legitimate activities, provided that the treatment concerns only members of these bodies or people who have regular contacts connected to their purposes, and the data are not disclosed to third parties without consent of the data subject;
- (c) when it relates to data that are manifestly made public by the data subject, provided his consent for their processing can be clearly inferred from his declarations;
- (d) when it is necessary for the declaration, exercise or defense of a right concerning a legal dispute and it is exclusively carried out for that purpose.
The processing of data relating to a person’s health and sex life, including genetic data, is permitted if it is necessary for the purposes of preventive medicine, medical diagnosis, provision of care or treatment, or management of health-care services, provided that those data are processed by a health professional bound by professional secrecy or by another person also subject to an equivalent obligation of secrecy, the CNPD is notified under article 27 of Law No. 67/98, and suitable safeguards are provided.[25]
Pursuant to article 12 of Law No. 67/98, the data subject has the right
- (a) except where otherwise provided by law, and at least in the cases referred to in articles 6(d) and 6(e) of Law No. 67/98, to object at any time, on compelling legitimate grounds relating to his particular situation, to the processing of data relating to him, and where there is a justified objection, the processing of data performed by the controller may no longer involve those data;
- (b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing or any other form of research, or to be informed before personal data are disclosed for the first time to third parties for the purposes of direct marketing or for use on behalf of third parties, and to be expressly offered the right to object, free of charge, tosuch disclosure or uses.[26]
6. Personal Profiles
According to article 5(1) of Law No. 67/98, personal data must be
- (a) processed lawfully and with respect for the principle of good faith;
- (b) collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes;
- (c) adequate, relevant, and not excessive in relation to the purposes for which they are collected and further processed;
- (d) accurate and, where necessary, updated, and with adequate measures taken to ensure that data that are inaccurate or incomplete are erased or corrected, taking into account the purposes for which they were collected or for which they will be further processed; [and]
- (e) kept in a way that permits identification of their subjects for no longer than is necessary for the purposes for which they were collected or for which they are further processed.[27]
The storing of data for historical, statistical, or scientific purposes for periods longer than specified in article 5(1)(e) of Law No. 67/98, which determines that personal data must be kept in a way that permits identification of their subjects for no longer than is necessary for the purposes for which they were collected or for which they are further processed, may be authorized by the CNPD at the request of the controller in the case of a legitimate interest.[28] The controller is charged with the duty to observe and comply with the provisions of article 5 of Law No. 67/98.[29]
7. Location Data
In cases where location data (dados de localização) are processed in addition to traffic data (dados de tráfego) relating to subscribers or users of public communication networks or electronic communication services available to the public, the processing of these data is allowed only if they are made anonymous.[30]
The recording, processing, and transmission of location data for/to organizations with legal authority to receive emergency calls for the purpose of responding to such calls are allowed, however.[31] The processing of location data is also permitted to the extent and for the time required for the rendering of value-added services, provided that prior consent of the subscribers or users is obtained.[32]
Companies that provide electronic communications services accessible to the public must inform the users or subscribers, prior to obtaining their consent, of the type of location data that will be processed, the duration and purposes of the processing, and the possible transmission of data to third parties for the purpose of providing value-added services.[33] Companies that provide electronic communications services accessible to the public must ensure that subscribers and users have the option, through simple and free means, [34] of withdrawing the consent previously given for the processing of location data referred to in article 7 of Law No. 41/2004 at any time,[35] and temporarily refusing the processing of such data for each network connection or for each transmission of a communication.[36]
The processing of location data must be limited to workers and employees of companies that offer network or electronic communication services accessible to the public or third parties providing value-added service, and must be restricted to what is necessary for such activity.[37]
According to Law No. 41/2004, “electronic communication” means any information exchanged or conveyed between a finite number of parties by means of an electronic communication service available to the public.[38]“Traffic data” is defined as any data processed for the purpose of sending a communication over an electronic communication network or for the billing thereof. [39] “Location data” means any data processed in an electronic communication network indicating the geographic position of the terminal equipment of a subscriber or any user of an electronic communication service available to the public.[40]
8. Security Measures to Protect Data
The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. These measures must ensure, given the expertise and the cost of their implementation, a level of security appropriate to the risk that the processing presents and the nature of the data to be protected.[41]
Companies that offer networks and companies providing electronic communication services must work together towards the adoption of technical and organizational measures to ensure effective security of their services and, if necessary, the security of the network itself.[42] In case of a particular risk of a breach of network security, companies that provide electronic communication services to the public must inform the subscribers of such risk, as well as of possible solutions to prevent it and the likely cost of such measures, free of charge.[43]
Companies that offer networks or electronic communication services must ensure the inviolability of communications and related traffic data through public communication networks and electronic communication services available to the public.[44]
9. Anonymity
With regard to the possibility of remaining anonymous while using online services, it appears that Law No. 41/2004 only covers telephone communications. Article 9(1) determines that when caller identification is offered, the companies that provide electronic communication services to the public must ensure that subscribers who make the calls and have the option, through simple and free means, to prevent the caller’s identification from being revealed on each call to other users.[45] Companies that offer networks or electronic communication services to the public are required to make available to the public, and especially to subscribers, transparent and updated information on the possibilities outlined in article 9 of Law No. 41/2004.[46]
10. Data Protection Agency
The National Commission of Data Protection (Comissão Nacional de Protecção de Dados – CNPD) is the agency is charge of controlling and inspecting the enforcement of laws and regulations on the protection of personal data.[47]
11. User’s Rights and Remedies
When personal data is collected directly from the data subject, the controller or his representative must provide, unless it is already known by that person, notification of the existence of and the conditions for accessing and correcting such data, as necessary taking into account the specific circumstances of data collection to ensure that the person is provided with fair processing of the data.[48]
In the case of collection of data on open networks, the data subject must be informed, unless the person is already aware, that his personal data can travel on the network without security, and of the risk of that data being seen and used by unauthorized third parties.[49]
The data subject has the right to obtain from the controller, freely and without constraint, at reasonable intervals and without excessive delay or expense, the correction, erasure, or blocking of data whose processing does not comply with the provisions of Law No. 67/98, in particular because of the incomplete or inaccurate nature of the data.[50] The controller must also provide notification to third parties to whom the data have been disclosed of any correction, erasure, or blocking carried out in compliance with article 11(1)(d) of Law No. 67/98, unless this proves impossible.[51] Article 12 of Law No. 67/98 defines the situations where the data subject has the right to object to the processing of data relating to him.
Without prejudice to the right to submit a complaint to the CNPD, any person may resort to administrative or judicial measures to ensure compliance with the legal provisions on protection of personal data.[52] Any person who has suffered damage as a result of an unlawful processing of data or of any other acts incompatible with legal provisions in the area of personal data protection is entitled to receive compensation from the controller for the damage suffered.[53]
12. Criminal and Administrative Sanctions
Violations of the privacy provisions discussed above may result in fines and/or imprisonment.
Articles 35 to 45 of Law No. 67/98 and article 14 of Law No. 41/2004 establish the offenses (contra-ordenações)[54] that are punishable by a fine and the respective amount of such fines. For example, entities that fail to appoint a representative in accordance with article 4(5) of Law No. 67/98 or comply with the obligations established in articles 5, 10–13, 15, 16, and 31(3) of that Law are punishable by a minimum fine of 100000$00 (one hundred thousand escudos) (about US$626.00) and maximum of 1000000$00 (one million escudos) (about US$6,260.00).[55] The fine amount is doubled when the obligations contained in articles 6, 7, 8, 9, 19, and 20 of Law No. 67/98 are not fulfilled.[56]
The president of the CNPD is responsible for the application of the fines provided for in Law No. 67/98, subject to prior deliberation by the Commission.[57] Once approved by the president and after being discussed by the CNPD, the fine is enforceable if it is not challenged within the statutory period.[58]
Articles 43 to 49 of Law No. 67/98 list crimes that are punishable by up to two years in prison and the payment of a fine. Examples include noncompliance with obligations relating to data protection, [59] unauthorized access to personal data, [60] falsification or destruction of personaldata,[61] and breach of secrecy.[62]
13. Cross-border Application
On January 7, 2004, Portugal issued Decree-Law No. 7, which transposed EU Directive No. 2000/31/EC on Electronic Commerce.[63] According to Decree-Law No. 7, the courts and other authorities, including entities with a supervisory capacity, may restrict the circulation of a specific service provided by the “information society service” from another Member State of the European Union if it seriously injures or threatens, inter alia, the human dignity or the public order, including the protection of minors and the incitement to hatred based on race, sex, religion, or nationality, for reasons including the prevention or repression of crimes or social offenses.[64]
“Information society service” is defined as any service provided at a distance by electronic means for remuneration, or at a minimum within the context of an economic activity, following an individual request by the recipient.[65]
The restrictive measures taken under Decree-Law No. 7 must be preceded by a request to the Member State where the service provider is located asking that it put an end to the situation.[66] If the Member State does not act upon the request, or the measures taken are deemed inappropriate, notification to the CNPD and the Member State of the intention to take restrictive measures is required.[67] The notification provisions are without prejudice to judicial proceedings, including preliminary proceedings and acts carried out under a criminal investigation or concerning a violation of public order (ilícito de mera ordenação social).[68] The measures taken must be proportionate to the purposes of the safeguard.[69]
14. Retention of Data
On July 17, 2008, Law No. 32 was issued to regulate the storage and transmission of traffic data and location data relative to natural persons and legal entities, as well as the related data necessary to identify the subscriber or registered user, for purposes of investigation, detection, and prosecution of serious crimes by the competent authorities.[70] Law No. 32 transposed Directive 2006/24/EC[71] into Portugal’s domestic legal system.
According to Law No. 32, the retention of data revealing the content of communications is prohibited, without prejudice to the provisions of Law No. 41/2004 and criminal procedure law on the interception and recording of communications.[72]
The storage and transmission of data must be made exclusively in connection with the investigation, detection, and prosecution of serious crimes by the competent authorities.73 [73] The transmission of data to the competent authorities can only be authorized by a written order issued by a judge, in accordance with article 9 of Law No. 32/2008.[74] The files for the retention of data under Law No. 32/2008 must be separated from any other files used for other purposes.[75] The data subject cannot oppose their storage and transmission.[76]
III. Role of Data Protection Agencies
The National Commission of Data Protection (Comissão Nacional de Protecção de Dados – CNPD) was created by Law No. 10 of April 29, 1991.[77] The Commission was initially charged with generic responsibility for controlling the automated processing of personal data, with strict respect for human rights and the fundamental freedoms and guarantees provided by the Constitution and the law.[78]
With the revocation of Law No. 10/91 by Law No. 67/98,[79] the CNPD was established as the national authority charged with the power to supervise and monitor compliance with laws and regulations in the area of personal data protection, with strict respect for the human rights and fundamental freedoms and guarantees provided by the Constitution and the law.[80]
The CNPD has the power to investigate, inquire about, and access data that has been processed and to collect all the information necessary to carry out its supervisory duties;[81] order the blocking, erasure, or destruction of data, and prohibit, temporarily or permanently, the processing of personal data, even if included in open networks of data transmission from servers situated within Portuguese territory;[82] and issue opinions prior to the processing of personal data to ensure the publication of such data in a manner that complies with the law.[83]
In the event of repeated breaches of legal provisions regarding personal data, the CNPD can warn or publicly censure the controller, as well as raise the matter before the Assembly of the Republic, the government or other bodies or authorities, in accordance with their respective powers.[84] The CNPD has jurisdiction to intervene in proceedings for violations of Law No. 67/98 and must report to the Public Prosecutor’s Office (Ministério Público) criminal offenses that it gains knowledge of in the exercise of its functions, as well as take necessary and urgent precautionary measures to secure the evidence.[85]
The CNPD must be consulted on any legal provisions, or legal instruments being prepared in communitarian or international institutions, relating to the processing of personal data.[86] The Commission is responsible in particular for ensuring the right of access to information and the exercise of the right to correct and update such information;[87] acting on an application made by any person or by an association representing that person concerning the protection of the person’s rights and freedoms with regard to the processing of personal data, and informing the person of the outcome;[88] carrying out the request of any person to check the lawfulness of data processing where such processing is subject to restrictions on access or information, and informing the person of the completion of the verification;[89] assessing claims, complaints, and petitions from individuals;[90] and promoting the dissemination and clarification of rights relating to data protection and periodically publicizing its activities, including the publication of an annual report.[91] It is not clear, however, whether the CNPD has been focusing on online service providers in carrying out these functions or in the protection of personal data as a whole.
IV. Administrative Decisions
In 2010, the CNPD prohibited Google from gathering images in Portugal for Google’s Street View service because CNPD believed that the service did not guarantee the anonymity of people and vehicles, and that such service qualified as the processing of personal data.[92] Google asserted that the service was legal because it did not expose people’s faces or the license plates of vehicles due to the fact that before being made available to the public, such features of the images were blurred, making then unidentifiable.[93]
CNPD’s spokeswoman, Clara Guerra, explained that Google was supposed to provide CNPD with additional technical information regarding the feasibility of guaranteeing anonymity in images, which did not occur.[94] As a consequence, CNPD notified Google that the service was prohibited in Portugal because it did not meet the legal conditions regarding the protection of personal data.[95] Further research on the subject did not reveal whether Google’s service, Street View, has resumed its activities in Portugal.
V. Public and Scholarly Opinion
Since 2011 the CNPD has made available a survey that allows Internet users to verify their level of vulnerability to identity theft, both online and offline, in an effort to call people’s attention to the risks of not properly protecting their personal information.[96] The survey is a multiple choice quiz that concerns eleven daily situations in which a person may be subject to identity theft.[97] At the end of the test, a score is given for each topic covered, and an overall assessment of the degree of exposure to identity theft is provided.[98] Along with the survey, CNPD also released the guide Read and Learn, which contains advice for safer behavior, so that data such as one’s name, address, and bank account numbers, among others, do not fall into the wrong hands.[99] According to CNPD’s spokeswoman Clara Guerra, the purpose of these initiatives is to alert and sensitize people to the need for the protection of personal data.[100] The results of the survey are not available to the public; therefore it is not possible to assess how members of the public feel about online data protection.
Information regarding egregious cases of violations or questionable practices is scarce and, as such, it is not possible to evaluate whether there has been an impact strong enough to shape the public opinion regarding such practices. Research on the subject failed to identify any evaluations prepared by Portuguese scholars concerning the existing laws or comments on a balance between commercial interests of the service providers and the privacy interest of the users. Discussions of such issues are currently underway in the European Union.[101]
VI. Pending Reforms
Recently, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy.[102] According to the European Commission,
[t]echnological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.[103]
Existing Portuguese laws related to the protection of personal data were issued to transpose earlier European Union directives into the country’s domestic legal system. Reforms in this regard will apparently be implemented only after the European Commission issues a new directive.
Prepared by Eduardo Soares
Senior Foreign Law Specialist
June 2012
[1] CONSTITUIÇÃO DA REPÚBLICA PORTUGUESA [C.R.P.] (Constitutional Revision VII (2005)) art. 35, available at ASSEMBLEIA DA REPÚBLICA [ASSEMBLY OF THE REPUBLIC], http://www.parlamento.pt/Legislacao/Paginas/ConstituicaoRepublicaPortuguesa.aspx.
[2] Lei No. 10/91, de 29 de Abril, available at PORTAL DAS FINANÇAS [FINANCE PORTAL], http://info.portaldasfinancas.gov.pt/NR/rdonlyres/54F233C0-FFAA-4C93-B5BA-E4D615916D4C/0/lei_10-91_de_29_de_abril_i_serie_a.pdf.
[3] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX%3A31995L0046
%3Aen%3AHTML.
[4] Id. arts. 1–4.
[5] QUARTA REVISÃO CONSTITUCIONAL, Lei No. 1/97, de 20 de Setembro, art. 18, available at PROCURADORIA-GERAL DISTRITAL DE LISBOA [LISBOA ATTORNEY GENERAL’S OFFICE], http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=11&tabela=
leis&ficha=1&pagina=1.
[6] Lei No. 67/98, de 26 de Outubro, Lei da Protecção de Dados Pessoais [Personal Data Protection Law], http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=156&tabela=
leis&ficha=1&pagina=1.
[7] Lei No. 69/98, de 28 de Outubro, available at COMISSÃO NACIONAL DE PROTECÇÃO DE DADOS [NATIONAL COMMISSION OF DATA PROTECTION], http://www.cnpd.pt/bin/legis/nacional/lei_6998.htm.
[8] Lei No. 41/2004, de 18 de Agosto, http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=707&tabela=
leis&ficha=1&pagina=1.
[9] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX%3A32002L0058%3
Aen%3AHTML.
[10] 10 C.R.P. art. 26(2).
[11] Id. art. 35 (translation by author).
[12] Lei No. 67/98, supra note 6.
[13] Lei No. 41/2004, supra note 8.
[14] Lei No. 67/98, art. 6 (translation by author).
[15] Id. art. 3(a).
[16] Id.
[17] Id. art. 3(b).
[18] Id. art. 3(d).
[19] Id. art. 3(h).
[20] Lei No. 41/2004, supra note 8, art. 1(2).
[21] Lei No. 67/98, supra note 6, art. 2.
[22] Id. art. 7(1).
[23] Id. art. 7(2). Article 22(1) of Law No. 67/98 determines that CNPD is the national authority charged with the power to supervise and monitor compliance with the laws and regulations in the area of personal data protection, with strict respect for the human rights and the fundamental freedoms and guarantees provided by the Constitution and the law.
[24] Id. art. 7(3).
[25] Id. art. 7(4).
[26] Id. art. 12 (translation by author).
[27] Id. art. 5(1) (translation by author).
[28] Id. art. 5(2). There is a legitimate interest when it is not contrary to the law and can even be protected by it. JOÃO MELO FRANCO & ANTÓNIO HERLANDER ANTUNES MARTINS, DICIONÁRIO DE CONCEITOS E PRINCÍPIOS JURÍDICOS: NA DOUTRINA E NA JURISPRUDÊNCIA 505 (Coimbra: Livraria Almedina, 1995).
[29] Id. art. 5(3).
[30] Lei No. 41/2004, supra note 8, art. 7(1).
[31] Id. art. 7(2).
[32] Id. art. 7(3).
[33] Id. art. 7(4).
[34] Id. art. 7(5).
[35] Id. art. 7(5)(a).
[36] Id. art. 7(5)(b).
[37] Id. art. 7(6).
[38] Id. art. 2(1)(a).
[39] Id. art. 2(1)(d).
[40] Id. art. 2(1)(e).
[41] Lei No. 67/98, supra note 6, art. 14(1).
[42] Lei No. 41/2004, supra note 8, art. 3(1).
[43] Id. art. 3(3).
[44] Id. art. 4(1).
[45] Id. art. 9(1).
[46] Id. art. 9(7).
[47] O que é a CNPD, COMISSÃO NACIONAL DE PROTECÇÃO DE DADOS, http://www.cnpd.pt/bin/cnpd/acnpd.htm (last visited May 15, 2012).
[48] Lei No. 67/98, supra note 6, art. 10(1).
[49] Id. art. 10(4).
[50] Id. art. 11(1)(d).
[51] Id. art. 11(1)(e).
[52] Id. art. 33.
[53] Id. art. 34(1).
[54] Decree-Law No. 433 of October 27, 1982, defines “offense” (contra-ordenação) as any unlawful act that can be characterized as an offense to which a fine is imposed. Decreto-Lei No. 433/82, de 27 de Outubro, art. 1, http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=166&tabela=leis.
[55] Lei No. 67/98, supra note 6, art. 38(1).
[56] Id. art. 38(2).
[57] Lei No. 67/98, supra note 6, art. 41(1).
[58] Id. art. 41(2).
[59] Id. art. 43.
[60] Id. art. 44.
[61] Id. art. 45.
[62] Id. art. 47.
[63] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, In Particular Electronic Commerce, in the Internal Market (Directive on Electronic Commerce), 2000 O.J. (L 178) 1, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX%3A32000L0031%3
AEN%3AHTML.
[64] Decreto-Lei No. 7/2004, de 7 de Janeiro, art. 7(1)(a), http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=1399&tabela=
leis&ficha=1&pagina=1&.
[65] Id. art. 3(1).
[66] Id. art. 7(2)(a).
[67] Id. art. 7(2)(b).
[68] Id. art. 7(3).
[69] Id. art. 7(4).
[70] Lei No. 32/2008, de 17 de Julho, art. 1(1), http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=1264&tabela=
leis&ficha=1&pagina=1&.
[71] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ%3AL%3A2006%3A105%3A00
54%3A01%3AEN%3AHTML.
[72] Lei No. 32/2008, art. 1(2).
[73] Id. art. 3(1).
[74] Id. art. 3(2).
[75] Id. art. 3(3).
[76] Id. art. 3(4).
[77] Lei No. 10/91, supra note 2, art. 4(1).
[78] Id. art. 4(1).
[79] Lei No. 67/98, supra note 6, art. 51.
[80] Id. art. 22(1).
[81] Id. art. 22(3)(a).
[82] Id. art. 22(3)(b).
[83] Id. art. 22(3)(c).
[84] Id. art. 22(4).
[85] Id. art. 22(5).
[86] Id. art. 22(2).
[87] Id. art. 23(1)(g).
[88] Id. art. 23(1)(i).
[89] Id. art. 23(1)(j).
[90] Id. art. 23(1)(k).
[91] Id. art. 23(1)(p).
[92] Google Impedido de Recolher Imagens em Portugal, JORNAL DE NOTÍCIAS (Aug. 4, 2010), http://www.jn.pt/PaginaInicial/Tecnologia/Interior.aspx?content_id=1633931&page=-1.
[93] Id.
[94] Id.
[95] Id.
[95] Dia da Proteção de Dados Assinalado em Portugal, TEK (Jan. 27, 2011), http://tek.sapo.pt/noticias/computadores/dia_da_proteccao_de_dados_assinalado_
em_portu_1124953.html.
[97] Id.
[98] Id.
[99] Id.
[100] Id.
[101] Press Release, Europa, Commission Proposes a Comprehensive Reform of Data Protection Rules to Increase Users’ Control of Their Data and to Cut Costs for Businesses (Jan. 25, 2012), http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML
&aged=0&language=EN&guiLanguage=en.
[102] Id. See also separate report on the European Union, supra, at 1.
[103] Id.
Last Updated: 12/30/2020