Last review date: 27 December 2024

☒ omnibus – all personal data

☒ sector-specific

E.g., telecoms, public healthcare sector

☒ constitutional

Last review date: 27 December 2024

• EU General Data Protection Regulation (GDPR)
• Personal Data Protection and Telecommunication Privacy Act (Law no. 41/2004, of 18 August, as amended by Law 46/2012 of 29 August)
• Portuguese law that implemented the GDPR (Law no. 58/2019, of 8 August) and replaced the Portuguese Data Protection Act (Law no. 67/98)
• Law no. 59/2019, of 8 August, concerning personal data for prevention, detection, investigation or repression of criminal infractions¹
• Regulation no. 798/2018 that foresees a list of personal data processing activities that must be subject to a Data Protection Impact Assessment ("DPIA")
• Law no. 46/2018 that establishes the legal framework for cyberspace security, transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
• Decree-Law no. 65/2021 that regulates the Legal Framework for Cyberspace Security and defines cybersecurity certification obligations in implementation of Regulation (EU) 2019/881 of the European Parliament of 17 April 2019
• Regulation nº 183/2022, establishing technical instructions on communications between entities and the CNCS.
• Law no. 18/2024, that regulates access to metadata relating to electronic communications for criminal investigation purposes, amending Law no. 32/2008, of 17 July, which transposes Directive 2006/24/EC of the European Parliament and of the Council of 15 March on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks into the national legal order;

[1] A note is necessary, however, to observe that although this statute remains in effect, some of its crucial provisions have been considered unconstitutional (and thus unapplicable) in a decision that is binding and unappealable. This Decision from the Constitutional Court, in 2022, as met by the legislator with a proposal for a new reading of those provisions, in October 2023. This new reading was, however, again judged unconstitutional and has, since, been set aside by the Constitutional Court too. No posterior proposal has been introduced.

National law:

• Law no. 46/2018 that establishes the legal framework for cyberspace security, transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
• Decree-Law no. 65/2021, of 30 June, that regulates the legal framework for cyberspace security and defines the obligations in matters of certification of cybersecurity, in execution of Regulation (EU) 2019/881, of the European Parliament, of 19 April 2019.
• Regulation no. 183/2022 establishing technical instructions on communications between entities and the National Cyber Security Centre (“CNCS”, as explained below).

Last review date: 27 December 2024

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union 

Decree-Law no. 85/2024, that implements Regulation (EU) 2018/1807 on the framework for the free flow of non-personal data in the European Union.

Law no. 68/2021, that approves the general principles on open data and transposes into national law Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information, amending Law no. 26/2016 of 22 August.

Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union 

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828

Regulation (EU) 2024/1028 of the European Parliament and of the Council of 11 April 2024 on data collection and sharing relating to short-term accommodation rental services and amending Regulation (EU) 2018/1724

Regulation (Eu) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act), as complemented by Ordinance n.º 126/2024/1, of 1 April.

Last review date: 27 December 2024

The most significant expected change pertains to the cybersecurity framework, particularly the national implementation of the NIS 2 Directive. Currently, a draft law is under public consultation, detailing the obligations that clarify the NIS 2 framework. These obligations outline the responsibilities of the board of directors and management of important and essential entities, presenting a demanding scenario for these corporate bodies. We expect that the relevant authorities will provide further clarity on the applicability of this responsibility regime.