

I. Legal framework

Constitutional privacy and data protection framework

The Portuguese Constitution has extensive provisions on protecting privacy, secrecy of communications and data protection.1

Article 26 provides that "everyone shall possess the right to a personal identity, to the development of their personality, to civil capacity, to citizenship, to a good name and reputation, to their likeness, to speak out, to protect the privacy of their personal and family life, and to legal protection against any form of discrimination; the law shall lay down effective guarantees against the procurement and misuse of information concerning persons and families and its use contrary to human dignity; the law shall guarantee the personal dignity and genetic identity of the human person, particularly in the creation, development and use of technologies and in scientific experimentation; deprivation of citizenship and restrictions on civil capacity may only occur in such cases and under such terms as may be provided for by law, and shall not be based on political motives."2

Article 34 provides for the inviolability of "personal homes and the secrecy of correspondence and other means of private communication"; "entry into a citizen’s home" only by competent judicial authority and after complying with due process requirements; and a bar on non-consensual entry of a person's home at night unless in pursuit of a criminal, or with judicial authorisation as laid down by law. The article also prohibits public authorities from interfering with correspondence, telecommunications or other means of communication unless as provided by law in relation to criminal proceedings.3

In 1997, Article 35 of the Constitution was amended to give citizens a right to data protection. The Article provides that "every citizen shall possess the right to access to all computerised data that concern him, to require that they be corrected and updated, and to be informed of the purpose for which they are intended, all as laid down by law; the law shall define the concept of personal data, together with the terms and conditions applicable to its automated treatment and its linkage, transmission and use, and shall guarantee its protection, particularly by means of an independent administrative body; computers shall not be used to treat data concerning philosophical or political convictions, party or trade union affiliations, religious beliefs, private life or ethnic origins, save with the express consent of the data subject, with authorisation provided for by law and with guarantees of non-discrimination, or for the purpose of processing statistical data that cannot be individually identified; third-party access to personal data shall be prohibited, save in exceptional cases provided for by law; the allocation of a single national number to any citizen shall be prohibited; everyone shall be guaranteed free access to public-use computer networks, and the law shall define both the rules that shall apply to cross-border data flows and the appropriate means for protecting personal data and such other data as may justifiably be safeguarded in the national interest; personal data contained in manual files shall enjoy the same protection as that provided for in the previous paragraphs, as laid down by law."4

Privacy and data protection laws and regulations

Comprehensive law

The 1998 Act on the Protection of Personal Data adopts the European Union (EU) Data Protection Directive requirements into Portuguese law.5 It limits the collection, use and dissemination of personal information in manual or electronic form. It also applies to video surveillance or "other forms of capture, processing and dissemination of sound and images." It replaces the 1991 Act on the Protection of Personal Data with Regard to Automatic Processing.6

Sector-based laws

On 18 August 2004, the Parliament enacted Law No. 41/2004,7 which implemented the European Directive on Privacy and Electronic Communications (2002/58/EC) without incorporating the Directive's Article 13 on unsolicited communications. That article had already been implemented in Law No. 7/2004,8 which also implemented the European Directive on Electronic Commerce (2000/31/EC). Law No. 41/2004 also repealed Law No. 69/98,9 which implemented the European Union Telecommunications Privacy Directive (1997/66/EC).

Data protection authority

The National Data Protection Commission (Comissão Nacional de Protecção de Dados, or CNPD) is charged with controlling and enforcing the laws on the protection of personal data.10 The Commission functioned as part of the National Parliament until 2004. In 2004, it became an independent agency that is directly responsible to the Parliament.11 Its functions are to register existing databases containing private data, authorise and control such databases, issue directives, and oversee the Schengen Information System (SIS). The number of investigations and inspections conducted has remained fairly stable in the past six years, fluctuating between a low of 183 in 2004 and a high of 223 in 2001. There were 207 investigations and inspections conducted in 2006. Inspections fell somewhat in 2006 when CNPD, in cooperation with law enforcement, asked those authorities to inspect video surveillance systems. The number of complaints received by the Commission has also remained somewhat steady: 173 in 2003, 156 in 2004, 183 in 2005, 177 in 2006, and an increase to 212 in 2008.12

The number of referrals for criminal prosecution to the Public Prosecution Service is very low due to the existence of a fine system for the transgressions. There was one referral in 2001, two in 2002, one in 2003, and none from 2004 through 2006. The Commission applied 47 fines in 2006, totalling €75,000, but in 2008, there was a substantial increase in the fines applied: 151 fines, totalling approximately €366,000.13 The Commission authorised 2,146 databases in 2006, compared with 2,440 in 2004 and 1,858 in 2005.14 It issued opinions on obtaining subscriber information from telecommunications providers, access to marketing databases by the Criminal Investigation Police, denied access by the Information and Security Service to the information system of the Aliens and Frontiers Department, and approved transborder data flows to the United States when the receiving company promised to protect the personal data collected pursuant to European data protection legal standards.15 The Commission also recently prohibited Google’s Street View from gathering photographs of Portuguese streets for its databases due to concerns about the company's ability to guarantee the anonymity of Portuguese citizens and of their vehicles.16

In January 2008, the CNPD launched "Project DADUS" by establishing a website aimed at schools. The project allows teachers to access educational content through a data protection programme.17 It is aimed at creating awareness among students between the ages of ten and 15 about issues relating to privacy and data protection. Teachers and their classes are granted access to interactive themed "units" with activities and talking points.18 The Project covers a wide range of subjects, including an introduction to data protection, as well as modules on social networking and video surveillance.19

In 2008, the CNPD hosted the Iberian-American Meeting on Data Protection, which approved Directives for the Harmonisation of Data Protection in the Iberian-American Community and the Lisbon Declaration. The Lisbon Declaration highlighted the recent developments in some countries for the adoption of data protection and stressed the importance of safeguarding the fundamental right to data protection in international transborder flows of personal data.20

Major privacy and data protection case law

There is no major privacy or data protection case law to report in the last two years.