Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Internet and consumer privacy


In January 2004, the Decree-Law No. 7/2004 for information society services1 started to regulate, among other things, unsolicited communications for marketing purposes providing direct measures of protection against the invasion of privacy. The Decree-Law transposes EU Directive 2000/31 and, at Article 22, prohibits the sending of unsolicited communications for the purposes of marketing unless the parties to whom they are sent ask request that no further such communications be sent to them.2

In September 2005, the CNPD published general principles related to electronic communications for political marketing. The principles clarified that opt-in rules apply not only to commercial marketing, but also to the electronic messages of a civil or political nature.3

In March 2009, the Decree Law No. 62/2009 modified Decree-Law No. 7/2004 by requiring that the Directorate-General of the Consumer (DGC) update a list of people nationwide who wish not to receive general commercial communications. Organisations that promote the sending of commercial messages for direct marketing purposes are required to check the list, updated quarterly by the DGC and available upon request. The practice of sending communications materials electronically to people on the lists is prohibited.4


The protection of online personal data against deliberate attempts at accessing the IT systems of others is covered by Law 109/2009 on Cybercrime. Further, Law 41/2004 imposes duties on any company offering network or electronic communications services to take adequate steps to guarantee an adequate level of cybersecurity,5 and ensure that the electronic communications that they offer are inviolable.6

Online behavioural marketing and search engine privacy

There is nothing to report with respect to online behavioural marketing and search engine privacy.

Online social networks and virtual communities

There is nothing to report with respect to online social networks and virtual communities.

Online youth safety

There is nothing to report with respect to online youth safety.

Workplace privacy

In 2003, the CNPD published "Guidelines on Privacy in the Workplace."7 These guidelines establish that information and contents of phone calls, emails, and Internet access for the private use of a worker is protected as private data and must be respected as such by the employer, although the employer is still free to restrict such personal use of office facilities by the employee by using generic means of monitoring, and avoiding as far as possible any individual monitoring of personal data.

In 2007, the CNPD prohibited the reporting of worker absenteeism due to strike action.8 The Director-General of Administration and Public Works (DGAEP) collects aggregate data on workers on strike and publishes the aggregate data on the Internet.  The Director-General of taxation began to require that the identification numbers of workers on strike be submitted within 48 hours, via a software system, so that income could be properly allocated. The CNPD found that the automatic and independent treatment of strike data called into question the legality of this decision. Article 35 of the Constitution, as well as Art. 7 of Act No. 67/98, prohibit computer treatment of political convictions, and the CNPD determined that strike participation is a political conviction. Therefore, absence due to strike action should be reported normally along with other absences as opposed to receiving discriminatory treatment which singles out strike participation.

In January 2009, Law 7/2009 was passed to limit the rights of employers with respect to their employees' biometric and other personal data.9 In essence, the law prohibits employers from examining employees' private emails that pass through the employer's computer network.10 Furthermore, employees cannot be asked to provide information regarding their personal life and whether they are pregnant, except when the provision of such information relates to the employees' capability to perform their jobs.11 Any use of employees' biometric data must first be notified to the CNPD prior to processing such information.12

Health and genetic privacy

Medical records

In January 2005, the Health Ministry published a regulation13 adding HIV and AIDS to the list of diseases requiring compulsory notification by any doctor to the Epidemic Surveillance Centre of the National Health Institute. The stated objective is to identify the epidemic pattern of the disease. The form in question included all the data needed to identify a specific individual, including the person's full name. A later regulation14 provided for the reduction of the personal information to be collected, after negotiations with the National Data Protection Commission.

Genetic identification

Law 12/2005 regulates the collection and use of health and genetic information.15 It defines genetic information as health information of hereditary characteristics of one or more people, and includes information collected from family histories that can, by itself, declare the genetic make-up of a person.16 Medical information should be kept confidential and secure, may only be used by the medical system in accordance with express written consent, and should be kept separate from other personal information in databases by means of tiered access controls.17 Genetic information not of immediate impact on health (i.e., recessive genes, questions of identity, pre-symptomatic or pre-natal) is not considered medical information and should be kept separate from medical files, and inaccessible by doctors in the case of healthy persons.18 Genetic tests for disease in healthy individuals can only be performed with informed written consent and after counselling. The law also regulates the usage of genetic tests, prohibiting their use in denying health and life insurance or increasing premiums.19 Employers may not request genetic tests, even with the consent of employees, but they may require such tests either where the particular workplace may pose a health risk to workers with specific diseases or genetic susceptibilities “ in which case such tests may never be used to the worker's detriment “ or where there is a very serious risk to public health that is relevant to the worker™s health, in which case the testing must be undertaken by an agency or body that is independent of the employer.20 Neither adoption services nor future adoptive parents may request tests or use information from tests already performed in adoption cases.21

A law was published to regulate a national DNA database for criminal investigations and, upon the data subject's consent, for civil identification as well.22

Financial privacy

In September 2009, the CNPD adopted Resolution No. 765/2009, containing the principles governing the processing of personal data for the purpose of internal communication acts of irregular financial management (ethics hotlines).23 It regulates the rights of people accused of committing financial irregularities in so-called "whistleblowing" situations, particularly the accused person™s rights to access, correct, and delete data relating to her that is being processed as a result of such allegations. Such data must be collected in a way that is proportionate to the data subject™s rights, despite the existence of a public interest in promoting corporate transparency and responsibility.24 While the data subject must have access to the data and be able to correct it where it is incomplete or incorrect, she has no right whatsoever to find out the identity of the accuser.25