Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 27 December 2024

The Portuguese data protection authority is the CNPD – Comissão Nacional de Protecção de Dados ("CNPD"), whose mandate includes regulatory and oversight powers over data protection and privacy matters. The Portuguese cybersecurity authority is the CNCS – Centro Nacional de Cibersegurança ("CNCS"), whose mandate includes regulatory and oversight powers over cyberspace security; it is assisted in those tasks by the Portuguese national authority for telecommunications ("ANACOM").

How active is each of the regulator(s)?

Last review date: 27 December 2024

Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 27 December 2024

CNPD has published its Activity Plan for 2025, available here, containing the following enforcement priorities:

  • Creation of the 'Data Protection Officer Portal' – aimed at responding to the need for an information and training space dedicated to data protection officers ("DPOs"), with particular concern for the enforcement of DPOs' obligations;
  • Intensify its focus on the link between security risks and the growing risks to data protection – however, it is unclear how the authority intends to accomplish this;
  • Promote greater coordination with controllers and processors – CNPD intends to supervise more closely and strengthen the relationship with controllers and processors.

Simultaneously, with the foreseeable implementation of the NIS 2 Directive in 2025, it is expected that CNCS will enforce this law and require organizations to comply with the cybersecurity legal regime. Although there is no official CNCS document attesting to this expectation, enforcement and supervision measures will most likely be directed primarily at big market players and consist of warnings.

Conversely, ANACOM has published a multi-year plan setting out its strategic objectives for 2025 to 2027, available here. The following enforcement priorities are highlighted:

  • Co-ordinate with the authorities in the implementation of the Digital Services Act, ensuring the protection of users;
  • Promote research into and supervision of digital services;
  • Implement the necessary measures to ensure the security and resilience of communications networks and services.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 27 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

☒ Staying the same

Class actions/group actions under data or cyber regulation are:

☒ Increasing

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 27 December 2024

There are:

☒ administrative remedies from regulators and law enforcement

Administrative fines may amount to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

☒ criminal penalties from regulators and law enforcement

Pursuant to Sec. III of the Portuguese Data Protection Act, the following data protection infringements are considered criminal offenses:

  • Non-compliance with obligations relating to processing for secondary purposes or combining of data sets – the infringer may be punished with imprisonment of up to one year or a fine of up to 120 days.
  • Undue access – the infringer shall be liable to up to one year imprisonment or a fine up to 120 days. In certain circumstances, the penalty may be increased up to double the amount.
  • Invalidation or destruction of personal data – the infringer shall be liable to up to two years' imprisonment or a fine of up to 240 days. The penalty shall be increased (up to double the amount) if the damage caused is particularly serious.
  • Violation of the duty of secrecy – the infringer shall be liable to up to two years' imprisonment or a fine of up to 240 days. In certain circumstances, the penalty shall be increased by a maximum of 50%.

☒ private remedies

Individuals may, for example,

  • file complaints with the data protection authorities
  • claim damages for material or non-material damages

Certain organizations (e.g., consumer protection bodies) and competitors may issue cease-and-desist letters and claim injunctive relief if the violating party does not sign a cease-and-desist declaration.

If data subjects have private remedies, what form can these remedies take?

Last review date: 27 December 2024

☒ individual personal actions

☒ representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☒ class actions